Can a virus be in a memory stick?

[sysprog]

About the original question. I was always told that just files copied doesn't trasfer a virus. There has to be a program or app running in order to get you the virus (at least for ordinary old fashioned viruses - not cookies, malware, trojan etc. ... - I am not sure, not an expert either). Is this true?

No; once a machine has been infected, a virus can be hidden inside any file.

 

[WWGD]

Reading a bit further I guess I was wrong on the potential effectiveness of VMs. It seems viruses can be programmed to detect whether they are in a VM and not be activated then.

 

[sysprog]

Reading a bit further I guess I was wrong on the potential effectiveness of VMs. It seems viruses can be programmed to detect whether they are in a VM and not be activated then.

Yes. They can, for example, detect what kind of machine they are defined to be, and check whether their own performance is consistent with the definition -- or interrogate what kind of RAM they're running on, e.g. DDR3 1333 mhz, and notice that they're going slower etc. -- you can't deprive them of access to the real system clock and still expect them to play a song correctly, so they have an objective external reference as basis upon which to make such comparisons.

 

[sysprog]

NO! The safest method is to clone your HDD and SSD's before. Cloning once a month say, is the safest method guaranteed to protect you from malware plus you don't need to pay any money for anti-virus.

That's a good strategy if used daily.

You don't want to lose a month of your work by restoring the entirety of your drive with a cloned image that is a month old.

Ransomware comes to mind -- if AV software fails to block it in advance, you are hosed.

To use your strategy without risking more than a day of work, for a 1TB HDD, you could use, for example, an external 4TB USB HDD, and schedule a daily task that writes a clone image, then deletes the oldest image so that you won't run out of space.

You can partition the drive into a <1TB bootable system partition that has the restore software on it, and use the rest for a partition on which to store 2 consecutive uncompressed sector-by-sector images, keeping >1TB freespace available for the next day's image.

 

[sysprog]

True, but because you run it, not because you copy it. See the difference? I think just copying doesn't get you a virus. Of course I am not saying you shouldn't disinfect it using an antivirus. Just don't run the file until you disinfect ...
E.g. if you delete an infected file before you even run it, I think it's like it never existed (whether on computer, disc or USB).
However, experts can correct me, if I am wrong. (e.g. @Greg Bernhardt, @Mark44 or others)
Cf. also post #8 above etc.

In principle, that's true for a standalone .exe file that has no dependencies and upon which other files do not depend and would not act; however, you can't rely on it, because many files are interdependent, so you won't always know whether you've "run" them or not.

For a purely hypothetical example: you wouldn't enter 'whatever.dat' into a command prompt, and if you deleted such a file because you thought it shouldn't be there, you might think you were fine, but if a non-malicious executable program always recognized any '*.dat' file in its directory as input that it should act upon, then if that program were to be run, it could be too late by the time you deleted the .dat file.

You have to be careful.

 

[Quasimodo]

That's a good strategy if used daily.

You don't want to lose a month of your work by restoring the entirety of your drive with a cloned image that is a month old.

Always true, if you would be running a server.

For the average user however the best strategy would be to copy a new day's work files into a USB stick every day and resort to the somewhat more drastic methods like cloning once a month or whenever he or she is about to install a new program or when a potent malware is to be inspected.

 

[sysprog]

Always true, if you would be running a server.

Most servers use a different strategy. To use the procedure described, you don't have to be running a server, but you do have to have your machine running when the scheduled task is set to commence, and not shut it down until the procedure has run to completion, or you will miss that day's image.

For the average user however the best strategy would be to copy a new day's work files into a USB stick every day and resort to the somewhat more drastic methods like cloning once a month or whenever he or she is about to install a new program or when a potent malware is to be inspected.

That's incorrect. You could still lose a month of work that way. While you're surfing the net, a ransomware could encrypt all your work files, and you would then have only your most recent day's USB stick file, plus your last full drive image.

 

[Dr Transport]

even daily backups get corrupted with a virus, so seriously, how are you going to know exactly when you were infected. The best thing to do is alway scan y any incoming files with a virus checker before downloading them.

 

[Quasimodo]

Most servers use a different strategy. To use the procedure described, you don't have to be running a server, but you do have to have your machine running when the scheduled task is set to commence, and not shut it down until the procedure has run to completion, or you will miss that day's image.

NO! There's RAID cloning software available.

That's incorrect. You could still lose a month of work that way. While you're surfing the net, a ransomware could encrypt all your work files, and you would then have only your most recent day's USB stick file, plus your last full drive image.

The last day files plus all your previous work files up to the 1 month (15 days or whatever) should be in the USB stick. Every day you should add new files to the previous ones. And you should utilize 2 or 3 USB's just in case the newly written one gets infected.

 

[sysprog]

NO! There's RAID cloning software available.

There are different RAID architectures; however, software can't run if you turn off the machine.

The last day files plus all your previous work files up to the 1 month (15 days or whatever) should be in the USB stick. Every day you should add new files to the previous ones. And you should utilize 2 or 3 USB's just in case the newly written one gets infected.

I interpret that to more clearly mean that the daily work file updates would be kept cumulatively for at least a month.

The following sentence is not clear about that:

For the average user however the best strategy would be to copy a new day's work files into a USB stick every day

That was what I said was incorrect. I interpreted it to mean that you supposed that only the current day's work need be kept on a USB stick. I agree that using a separate procedure for the work files, provided that the dailies for them are cumulative between full drive backups, would be a viable option.

Your original proposition was that monthly HDD and SSD image backups would eliminate the need for AV software. In response, I pointed out that monthly wouldn't be sufficient, because you'd risk losing up to a month of your work, and that using an automated process by which the drive images were done daily would mean that you'd reduce that exposure to a day.

 

[sysprog]

even daily backups get corrupted with a virus, so seriously, how are you going to know exactly when you were infected. The best thing to do is alway scan y any incoming files with a virus checker before downloading them.

The process as I outlined it was a sketch. Actually implementing something like it safely instead of using an AV product is rather involved. I don't recommend it except as it may be implemented by a competent technician.

 

[Quasimodo]

The process as I outlined it was a sketch. Actually implementing something like it safely instead of using an AV product is rather involved. I don't recommend it except as it may be implemented by a competent technician.

I have seen hundred of users had to re-install their OS and all the programs just because a virus infected the MBR or OS. Simple disk imaging might work or might not work depending on the case and severity of infection.

That's why I recommend disk-cloning at least once a month. It's not an easy process for the average user it's true. And what makes you think that you can't clone a RAID disk? Disk Imaging and Cloning are entirely different procedures.

 

[sysprog]

The process as I outlined it was a sketch. Actually implementing something like it safely instead of using an AV product is rather involved. I don't recommend it except as it may be implemented by a competent technician.

I have seen hundred of users had to re-install their OS and all the programs just because a virus infected the MBR or OS. Simple disk imaging might work or might not work depending on the case and severity of infection.

Yeah, but you were the one who said (in response to @WWGD):

NO! The safest method is to clone your HDD and SSD's before. Cloning once a month say, is the safest method guaranteed to protect you from malware plus you don't need to pay any money for anti-virus.

(emphasis added)

That's why I recommend disk-cloning at least once a month. It's not an easy process for the average user it's true.

I didn't say what you appear to be indicating me to have said. I think mere disk cloning is easy enough for most users. What I in fact said, in response to the contention of @Dr Transport to the effect that AV software was the right choice, was:

The process as I outlined it was a sketch. Actually implementing something like it safely instead of using an AV product is rather involved. I don't recommend it except as it may be implemented by a competent technician.

(emphasis added)

That's not the same as saying that simple disk cloning is difficult. What would be rather involved would be setting up a regimen that implemented an automated procedure for robustly preserving prior information states, such that one could confidently dispense with use of AV products.

And what makes you think that you can't clone a RAID disk?

I gave no indication that I thought that you can't clone a RAID disk. You can image or clone any disk. The disks and the sectors thereon don't know that they're part of an array.

Imaging and Cloning are entirely different procedures.

If by 'cloning' you meant keeping a second device of exactly the same type as the first, and then rendering the second device such that you could swap the 2 devices, with the 2 devices performing indistinguishably from each other, just as you can with RAID 1, that would be the most accurate use of the term.

You didn't say anything about buying a second HDD or SSD of the same model as the first. so I didn't assume that was what you meant.

The process of making such a clone is normally accomplished by imaging the first device, and then copying from the image to the second device in such manner as to make the second device sector-by-sector informationally equivalent to the first.

More informally, in an information state preservation context, people often refer to making a restorable image and then storing the image to another device for safekeeping as 'cloning', because that's the first half of cloning, and because using the image to restore a prior state to the first device employs the same process as using the image to render a second device the same as the first does.

 

[Quasimodo]

You didn't say anything about buying a second HDD or SSD of the same model as the first. so I didn't assume that was what you meant.

The process of making such a clone is normally accomplished by imaging the first device, and then copying from the image to the second device in such manner as to make the second device sector-by-sector informationally equivalent to the first.

No! There is no need for the second drive to be of the same model or capacity as the first ( only different types HDD to HDD and SSD to SSD respected. )

And No again, cloning is done on the fly, no need for image file created beforehand.

 

[sysprog]

No! There is no need for the second drive to be of the same model or capacity as the first ( only different types HDD to HDD and SSD to SSD respected. )

And No again, cloning is done on the fly, no need for image file created beforehand.

Please be more specific about exactly what you mean by cloning once a month, and about how that plus backing up a month of work files on USB sticks would eliminate your need for AV products.

 

[Quasimodo]

Please be more specific about exactly what you mean by cloning once a month, and about how that plus backing up a month of work files on USB sticks would eliminate your need for AV products.

When cloning a drive an exact copy of the drive including its MBR, or GPT and partitions is created directly to the target location. This means you get an immediate copy including the hard disk structure, cluster by cluster and sometimes sector by sector ( bad sectors included.) A cloned disk or drive contains all the partition structure from the source disk or drive. A cloned system HDD or SSD that contains the operating system can be mounted as a new drive and immediately booted.

With ordinary backup where the entire content of the selected drive or partition are backed up into a file ( known as an Image ) on to the target location, a backup software is required in order to restore the system or data to a previous state or access the files and documents in the drive. As a result the drive is never bootable. The backup software may or maynot reside inside a drive already infected with a virus thus rendering the newly created copy infected again. Thus the file image ( residing on a separate USB or HDD ) will always be clean, yet the machine used as to re-instate the copy usable again, won't be!

With Cloning you dispense with the infected drive or drives 100%, and your system immediately boots without further action.

 

[sysprog]

What you said is accurate; what about the second part of the question -- please describe in a bit more detail how you envision using cloning to eliminate the need for AV software.

 

[russ_watters]

What you said is accurate; what about the second part of the question -- please describe in a bit more detail how you envision using cloning to eliminate the need for AV software.

I think @Quasimodo is saying you can just restore from the clone if you get an infection so there is no need to attempt prevention. Altogether this is a very bad strategy because:
1. It allows infections to happen (and spread).
2. It allows loss of data to happen(even if only a day).
3. It assumes the infection will manifest instantly and the clone won't be infected, which is just so not true.

 

[Quasimodo]

1. It allows infections to happen (and spread).
2. It allows loss of data to happen(even if only a day).
3. It assumes the infection will manifest instantly and the clone won't be infected, which is just so not true.

Assuming everything you've said it's true:

In case of a virus failure detection, would you like to re-install your OS and all programs from scratch or plug in a clone disk and continue your work from where you left off?
No, the clone will never be infected, the ONE clone that will contain your OS and your programs and your most valuable files. You will have many other updated copies if you wish but not this ONE!

Disease ( virus ) is bad, cure ( anti-virus ) is better, a new man ( clone ) is best!

 

[russ_watters]

In case of a virus failure detection, would you like to re-install your OS and all programs from scratch or plug in a clone disk and continue your work from where you left off?

Yes, cloning is a good recovery strategy. But it is not a substitute for prevention or removal.

No, the clone will never be infected

That isn't true: it assumes you will notice the infection - without a virus scanner(!) - before your clone is infected. Odds of that happening are very low. Lots and lots of viruses have latency/incubation periods specifically for that reason. Obviously a virus has to spread to be successful, which means it has to use the host to spread before destroying the host.

 

[Quasimodo]

No, the clone will never be infected

This is not my whole sentence.
The whole sentence is:

No, the clone will never be infected, the ONE clone that will contain your OS and your programs and your most valuable files. You will have many other updated copies if you wish but not this ONE!

Yes, cloning is a good recovery strategy. But it is not a substitute for prevention or removal.

Yes, substituting with an uninfected clone is 100% virus removal. Prevention is the anti-virus. Cloning is the 100% successful removal and restoration of our system to its original pristine condition.

 

[Dr Transport]

Yes, substituting with an uninfected clone is 100% virus removal. Prevention is the anti-virus. Cloning is the 100% successful removal and restoration of our system to its original pristine condition.

again, as many have already said, provided that you know the disk is comprimised. You don't know that a-prior i, therefore you don't know if your monthly clone is virus free or not.

 

[russ_watters]

This is not my whole sentence.
The whole sentence is:
No, the clone will never be infected, the ONE clone that will contain your OS and your programs and your most valuable files. You will have many other updated copies if you wish but not this ONE!

If you're saying you would clone your system right after installing all of your software, then make additional clones later with recent backups, that's fine, and I've done it in the past when I used to install and try a lot of software (the shareware days), but it still doesn't help you with the data loss issue in the more recent backups. It means you can get a do-over of your system from when it was first set up, but you still lose some amount of data depending on how many and how frequent your other backups are.

Cloning is the 100% successful removal and restoration of our system to its original pristine condition.

That's fine, as long as you recognize it still could mean losing some or all of your data generated since the original clone. It's still a terrible idea as a substitute for a virus scanner.

And, of course, you need a virus scanner to identify which of your clones are infected and which aren't, unless you want to install all of them, one at a time, until you get to the clean one.

 

[Quasimodo]

If you're saying you would clone your system right after installing all of your software, then make additional clones later with recent backups, that's fine, and I've done it in the past when I used to install and try a lot of software (the shareware days), but it still doesn't help you with the data loss issue in the more recent backups. It means you can get a do-over of your system from when it was first set up, but you still lose some amount of data depending on how many and how frequent your other backups are.
That's fine, as long as you recognize it still could mean losing some or all of your data generated since the original clone. It's still a terrible idea as a substitute for a virus scanner.

And, of course, you need a virus scanner to identify which of your clones are infected and which aren't, unless you want to install all of them, one at a time, until you get to the clean one.

I think we agree. I think the OP's question was how to safely read a USB memory stick and not get infected by a virus. To which I replied take a clone copy of your disks first and then read. ( At least that's what I hoped that it was understood, hence no need for anti-virus.) Then we got lost to what a disk imaging and disk cloning really is...

 

[russ_watters]

I think we agree. I think the OP's question was how to safely read a USB memory stick and not get infected by a virus. To which I replied take a clone copy of your disks first and then read. ( At least that's what I hoped that it was understood, hence no need for anti-virus.) Then we got lost to what a disk imaging and disk cloning really is...

No, we don't agree (except that the nuts and bolts of how you use the clone(s) isn't the issue). The issue is that your advice/position that a virus scanner isn't needed is very bad advice. There is no way to use a clone that eliminates the need for a virus scanner.

 

[Dr Transport]

Let me add one more comment. I work in a place where we have constant virus scanners running on all systems, even those that are not connected to the internet. As far we are concerned, if you touch the internet just once, you are compromised. The only way you can be completely sure you don't have anything on your computer is to NEVER touch the internet, install software from media from the original provider and never load a file from an external source. Right now, that would eliminate pretty much any and all external software, Windows, Office365 etc since it is only loaded from online. Even Matlab would be difficult since you don't get any media any longer.

Kind of limits your productivity doesn't it.